This page aims to provide you with a step-by-step guide on how to use public key authentication to connect to the HLRN.

Summary

  1. Create SSH keypair with a passphrase that is not used anywhere else.
  2. Upload the public key on our Service Portal.
  3. Specify your new key when connecting to our frontends (either via ssh -i <yourkey> or in your ssh config).

Step-by-step guide

SSH Key Generation

Generating your key differs depending on the SSH implementation. The default for Linux and macOS is OpenSSH, which is also available without extra installation on recent versions of Windows (Windows 10 and later).

OpenSSH

On your local system, run ssh-keygen in the terminal of your choice to create an SSH key pair of type RSA with a size of 4096 bits. During the key generation process you will be asked for a passphrase to protect the private key:

$ ssh-keygen -t rsa -b 4096 -f $HOME/.ssh/id_rsa_hlrn
Generating public/private rsa key pair. 
Enter file in which to save the key (/home/user/.ssh/id_rsa_hlrn):                 
Enter passphrase (empty for no passphrase): ************************
Enter same passphrase again: ************************
Your identification has been saved in /home/user/.ssh/id_rsa_hlrn.
Your public key has been saved in /home/user/.ssh/id_rsa_hlrn.pub.  
The key fingerprint is:  
b8:df:d1:14:48:03:00:68:5e:46:9c:1a:b2:b2:d4:f4 user@host  
The key's random art image is:   
+--[ RSA 4096]----+ 
|   +oo....o      |  
|. +.=    . o     | 
| =o=.     . .    |  
|o.o. E .     .   |  
|o.    . S   .    | 
|.      .   o     |  
|      .   . .    |  
|       . . .     | 
|        . .      | 
+-----------------+

In this example, the private key is saved in the file /home/user/.ssh/id_rsa_hlrn, the corresponding public key in the file /home/user/.ssh/id_rsa_hlrn.pub. If you run this command, user will be replaced by your local username.

Verify that you indeed have a passphrase on your private key with

ssh-keygen -yf $HOME/.ssh/id_rsa_hlrn
Enter passphrase:

If you are not asked for a passphrase, the private key is stored unprotected; run ssh-keygen -p -f $HOME/.ssh/id_rsa_hlrn to set one. Once you are certain that the key is protected by a passphrase you can safely continue with uploading the public key as described below.

We recommend giving the key a descriptive comment (ssh-keygen -C "<comment>" -f <...> when generating it, or ssh-keygen -c -C "<comment>" -f <...> for an existing key) so that you can conveniently identify it later on, for example in the portal's key list.
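The passphrase check above works because OpenSSH records, in clear, which cipher protects the private key: "none" means no passphrase. The following script is an added example (not part of the original page or of OpenSSH) that reads that header directly instead of trying to load the key, for both the current openssh-key-v1 container and the legacy PEM format. The sample key files it contains are constructed headers with no key material, so it runs offline; the function names are the example's own.

```python
import base64
import struct

# Magic bytes that open the modern OpenSSH private-key container.
OPENSSH_MAGIC = b"openssh-key-v1\x00"
BEGIN_OPENSSH = "-----BEGIN OPENSSH PRIVATE KEY-----"


def _ssh_string(data):
    """Encode bytes as an SSH 'string': uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf, offset):
    """Decode one SSH 'string' at offset; return (bytes, new_offset)."""
    (length,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    if offset + length > len(buf):
        raise ValueError("truncated key container")
    return buf[offset:offset + length], offset + length


def private_key_cipher(pem_text):
    """Return the cipher protecting the private key; 'none' means no passphrase.

    openssh-key-v1 (the ssh-keygen default since OpenSSH 7.8) stores the
    cipher and KDF names in clear in the header.  Legacy PEM keys
    (ssh-keygen -m PEM) announce encryption with 'Proc-Type: 4,ENCRYPTED'
    followed by a 'DEK-Info: <cipher>,<iv>' header line.
    """
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-armoured private key")
    if lines[0] == BEGIN_OPENSSH:
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, offset = _read_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(blob, offset)
        if cipher == b"none" and kdf != b"none":
            raise ValueError("inconsistent header: KDF set but no cipher")
        return cipher.decode()
    for ln in lines[1:]:
        if ln.startswith("DEK-Info:"):
            return ln.split(":", 1)[1].split(",")[0].strip()
        if not ln or ":" not in ln:
            break  # header block is over; the base64 body starts here
    return "none"


def has_passphrase(pem_text):
    """True when the private key cannot be used without a passphrase."""
    return private_key_cipher(pem_text) != "none"


def constructed_openssh_key(cipher, kdf):
    """Build a CONSTRUCTED openssh-key-v1 container holding only the header
    fields read above.  It contains no key material and cannot be used to
    log in anywhere; it exists so the check can be exercised offline."""
    blob = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(b"") + struct.pack(">I", 1))
    b64 = base64.b64encode(blob).decode()
    wrapped = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join([BEGIN_OPENSSH, *wrapped,
                      "-----END OPENSSH PRIVATE KEY-----"]) + "\n"


NO_PASSPHRASE = constructed_openssh_key(b"none", b"none")
WITH_PASSPHRASE = constructed_openssh_key(b"aes256-ctr", b"bcrypt")
# Constructed legacy PEM header; the body is a placeholder, not a key.
LEGACY_ENCRYPTED = "\n".join([
    "-----BEGIN RSA PRIVATE KEY-----",
    "Proc-Type: 4,ENCRYPTED",
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF",
    "",
    "AAAA",
    "-----END RSA PRIVATE KEY-----",
]) + "\n"

if __name__ == "__main__":
    import sys
    with open(sys.argv[1]) as fh:
        print(private_key_cipher(fh.read()))
```

Run it as python3 keycipher.py $HOME/.ssh/id_rsa_hlrn; anything other than none means the key is passphrase-protected. The check reads only the header and never attempts decryption, so it is safe to run on a key whose passphrase you do not have at hand.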

PuTTY

Under Windows, SSH key pairs can be generated with the tool PuTTYgen which is part of the PuTTY installation package and also available separately.

  • Select: Type of key to generate: SSH-2 RSA
  • Fill in: Number of bits in a generated key: 4096
  • Press: Generate
  • Fill in: your key passphrase
  • Fill in: confirm your passphrase
  • copy the public key shown in the text box to a file somewhere for uploading
    (don't use "Save public key" for the upload to HLRN: it writes the multi-line RFC 4716 format, whereas the portal expects the one-line OpenSSH format shown in the text box)
  • Press: Save private key
  • Please remember the path name where you saved your SSH key files!
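Before uploading, it is worth checking that the file you are about to submit really is a one-line OpenSSH public key, that the key type and the encoded blob agree, that the size is the 4096 bits requested above, and what its fingerprint is, so you can recognise it later in the portal. The script below is an added example (not part of the original page, of PuTTY or of OpenSSH) that does this; it also converts the RFC 4716 file written by PuTTYgen's "Save public key" into the accepted one-line form. The RSA key it contains is constructed with a dummy modulus purely as parser input and is not a usable key; function names are the example's own.

```python
import base64
import hashlib
import struct

RFC4716_BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
RFC4716_END = "---- END SSH2 PUBLIC KEY ----"


def _ssh_string(data):
    """Encode bytes as an SSH 'string' (uint32 length prefix + bytes)."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n):
    """Encode a positive integer as an SSH mpint (a leading 0x00 is added
    when the top bit is set, because mpints are two's complement)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(buf, offset):
    """Decode one SSH 'string' at offset; return (bytes, new_offset)."""
    (length,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    if offset + length > len(buf):
        raise ValueError("truncated key blob")
    return buf[offset:offset + length], offset + length


def to_openssh_line(text):
    """Return the key as one line 'type base64 [comment]', accepting either
    that form or the RFC 4716 file written by PuTTYgen's 'Save public key'."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines and lines[0] == RFC4716_BEGIN:
        body, comment, in_header, i = [], "", True, 1
        while i < len(lines) and lines[i] != RFC4716_END:
            ln = lines[i]
            if in_header and ":" in ln:          # 'Name: value' header line
                name, value = ln.split(":", 1)
                while value.endswith("\\") and i + 1 < len(lines):
                    i += 1                          # backslash continuation
                    value = value[:-1] + lines[i]
                if name.strip().lower() == "comment":
                    comment = value.strip().strip('"')
            else:                                   # base64 body lines
                in_header = False
                body.append(ln)
            i += 1
        b64 = "".join(body)
        keytype, _ = _read_string(base64.b64decode(b64, validate=True), 0)
        return " ".join(x for x in (keytype.decode(), b64, comment) if x)
    if len(lines) != 1:
        raise ValueError("OpenSSH public key must be a single line")
    parts = lines[0].split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, _ = _read_string(base64.b64decode(parts[1], validate=True), 0)
    if keytype.decode() != parts[0]:
        raise ValueError(f"type {parts[0]!r} does not match blob {keytype!r}")
    return lines[0]


def key_bits(openssh_line):
    """Key size: the modulus length for ssh-rsa, 256 for ssh-ed25519."""
    blob = base64.b64decode(openssh_line.split()[1])
    keytype, offset = _read_string(blob, 0)
    if keytype == b"ssh-rsa":
        _e, offset = _read_string(blob, offset)
        n, _ = _read_string(blob, offset)
        return int.from_bytes(n, "big").bit_length()
    return 256 if keytype == b"ssh-ed25519" else None


def fingerprints(openssh_line):
    """SHA256 fingerprint (modern ssh-keygen -l) and the legacy colon-separated
    MD5 form shown in the ssh-keygen transcript above."""
    blob = base64.b64decode(openssh_line.split()[1])
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return "SHA256:" + sha, "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2))


def constructed_rsa_public_key(bits=4096, comment="user@host"):
    """CONSTRUCTED ssh-rsa public key (e=65537, dummy modulus) in both
    accepted formats; parser test input only, not a usable key."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint((1 << (bits - 1)) | 1)
    b64 = base64.b64encode(blob).decode()
    rfc4716 = "\n".join([RFC4716_BEGIN, f'Comment: "{comment}"',
                         *[b64[i:i + 64] for i in range(0, len(b64), 64)], RFC4716_END])
    return f"ssh-rsa {b64} {comment}", rfc4716


if __name__ == "__main__":
    import sys
    with open(sys.argv[1]) as fh:
        line = to_openssh_line(fh.read())
    print(line)
    print(*fingerprints(line), f"{key_bits(line)} bits")
```

Run it as python3 pubcheck.py id_rsa_hlrn.pub (or on the file PuTTYgen saved); the first output line is what to paste into the portal, and the fingerprints should match what ssh-keygen -lf prints for the same file.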

SSH Public Key Upload

Before you can log in to one of the HLRN login nodes, you first have to upload your SSH public key (not the private one) at the HLRN Service Portal. There you can also perform other administrative tasks like displaying or removing (public) keys.

At the HLRN Service Portal choose the item "Manage keys" / "Verwalten Ihrer Keys". For the key management you will have to log in using your HLRN account and your portal password.

For security reasons, the upload is done in two steps:

  1.  Press the button "Request upload of a new key" / "Upload eines neuen Schlüssels anfordern". After pressing the upload request button, you will need to confirm that you will adhere to the HLRN key usage policy. The most important points here are: to always use a passphrase to protect the key and to never give access to your private key to others. Please read carefully and make sure you understand the implications of this agreement.
  2. In the next step, an e-mail is sent to your registered mail address containing a one-time URL. Use this URL (click it or copy it into the address field of your browser) to go to the page containing the actual upload button.

You can upload up to seven SSH public keys to the HLRN portal.

The SSH public keys are stored centrally in the HLRN LDAP service. Do not add SSH keys to your $HOME/.ssh/authorized_keys file at HLRN for login to HLRN from external machines. This file is only used for HLRN internal authentication and will not grant access from the outside.

Workaround to display hidden files

The .ssh directory is hidden, so the file chooser of your browser may not show it when you select the public key for upload. If it is not shown by default, enter ~/.ssh in the dialog's location box.

On macOS, press Command-Shift-G in the file dialog (for example in Safari) and enter ~/.ssh manually.

On Linux, CTRL-H toggles the display of hidden files in the GTK file dialog.

Alternatively, copy your public key file to a path that contains no hidden files or directories.

SSH Key Login

OpenSSH

With the -i option to the ssh command you can specify the full path of your private SSH key file when you log in to one of the HLRN login nodes. You will be asked for the passphrase of your private key.

Example for a login to blogin (Berlin):

$ ssh -i $HOME/.ssh/id_rsa_hlrn -l your_username blogin.hlrn.de
Enter passphrase for key '/<home_directory>/.ssh/id_rsa_hlrn':
[...]


Use the SSH configuration file $HOME/.ssh/config to permanently store options for specific SSH connections, so that they can be omitted on the command line.

For example, by adding the following to $HOME/.ssh/config :

Host blogin
    Hostname blogin.hlrn.de
    IdentityFile ~/.ssh/id_rsa_hlrn
    User your_username

Now the ssh command will automatically choose the proper credentials, i.e. -l your_username and -i <private_key> can be omitted from the command line, so that ssh blogin is sufficient. If you have several keys loaded in ssh-agent, ssh offers each of them to the server before the file named in IdentityFile, which can exhaust the server's permitted authentication attempts; adding IdentitiesOnly yes to the Host block restricts ssh to the configured key.

PuTTY

In PuTTY, you have to add/select your private key under Connection → SSH → Auth (Connection → SSH → Auth → Credentials in PuTTY 0.78 and later) to be able to log in. Enter your HLRN username under Connection → Data (Auto-login username) or give it as your_username@blogin.hlrn.de in the Host Name field.
